----- Forwarded message from Stefanos Harhalakis <[EMAIL PROTECTED]> -----

X-Original-To: [EMAIL PROTECTED]
From: Stefanos Harhalakis <[EMAIL PROTECTED]>
To: Justin Pryzby <[EMAIL PROTECTED]>
Subject: Re: Bug#290803: login: /var/log/btmp is created with insecure permissions
Cc: [EMAIL PROTECTED]

On Sunday 16 January 2005 22:24, Justin Pryzby wrote:
> On Sun, Jan 16, 2005 at 09:51:44PM +0200, Stefanos Harhalakis wrote:
> > Package: login
> > Version: 1:4.0.3-30.7
> > Severity: critical
> > Tags: security
> > Justification: root security hole
> >
> >
> > It seems that /var/log/btmp is created as a world readable file.
> > This is insecure (and it is reported by 'tiger') because this file
> > contains failed logins , including unknown usernames.
>
> Aren't the usernames always visible in /etc/password?
>
> > It is possible for a user to see the root password (and others too)
> > by running /usr/bin/lastb.
>
> lastb isn't showing me any passwords; just valid usernames as seen in
> passwd and dates.

It also contains unknown usernames. This includes any logins where you've 
entered the password (or something else) as the username. If you enter 
"test123" as the username, then btmp will contain the word 'test123', which 
can be your root or user password.

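The leak described in this reply, shown as an added example that is not code from the bug report or from the login package: it parses a btmp file the way lastb(1) does (glibc's 384-byte struct utmp layout on x86_64 is assumed), flags failed-login "usernames" that match no real account, and checks whether the file is readable by others. The sample records, the account list and the file mode are constructed here for the demonstration.

```python
"""Audit a btmp file for the leak discussed in the report: failed-login
records whose 'username' is not an account and may be a mistyped password,
readable by anyone if the file is world-readable.

Added example, not from the bug report or the login package.  The record
layout assumed is glibc's struct utmp on x86_64 (384 bytes per record).
"""
import os
import stat
import struct
import tempfile

# struct utmp (glibc, x86_64): ut_type, 2 pad bytes, ut_pid, ut_line[32],
# ut_id[4], ut_user[32], ut_host[256], ut_exit{e_termination,e_exit},
# ut_session, ut_tv{tv_sec,tv_usec}, ut_addr_v6[4], __unused[20] -> 384 bytes
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
assert UTMP_SIZE == 384
LOGIN_PROCESS = 6  # ut_type value; only used to build the sample records


def pack_record(user, line, host, ts, ut_type=LOGIN_PROCESS):
    """Build one utmp record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, 0, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, 0, 0, 0, 0, b"")


def _cstr(raw):
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def read_btmp(data):
    """Yield (user, line, host, tv_sec) per whole record, like lastb(1)."""
    usable = len(data) - len(data) % UTMP_SIZE
    for off in range(0, usable, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        yield _cstr(f[4]), _cstr(f[2]), _cstr(f[5]), f[9]


def unknown_users(data, known_users):
    """Usernames in btmp matching no account: the 'test123' case above."""
    return sorted({u for u, _, _, _ in read_btmp(data) if u not in known_users})


def world_readable(path):
    """True if 'other' can read the file (the condition tiger reports)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def demo():
    """Write a constructed btmp with mode 0644 to a temp file and audit it."""
    known = {"root", "alice"}  # constructed stand-in for /etc/passwd users
    # Constructed sample: two real accounts and a string that looks like a
    # password typed into the login: prompt instead of a username.
    records = [("root", "tty1", "", 1105900000),
               ("Str0ngPassw0rd", "tty1", "", 1105900005),
               ("alice", "pts/0", "10.0.0.5", 1105900100)]
    fd, path = tempfile.mkstemp(prefix="btmp-")
    try:
        with os.fdopen(fd, "wb") as fh:
            for rec in records:
                fh.write(pack_record(*rec))
        os.chmod(path, 0o644)  # the insecure mode the report describes
        with open(path, "rb") as fh:
            data = fh.read()
        result = {
            "world_readable": world_readable(path),
            "entries": [u for u, _, _, _ in read_btmp(data)],
            "leaked": unknown_users(data, known),
        }
        os.chmod(path, 0o600)  # the fix: only the owner (root) can read it
        result["world_readable_after"] = world_readable(path)
        return result
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the audit of the constructed file; pointed at a real /var/log/btmp (read as root), `unknown_users` lists every failed-login "username" that is not an account, which is exactly the set an unprivileged user could harvest with lastb while the file is world-readable.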
